Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;)